FortiGate
amahdi
Staff
Article Id 292323
Description

This article describes a scenario in which a virtual IP (VIP) is configured on the FortiGate to map inbound traffic to an internal server while an upstream FortiSwitch sits between the ISP and the FortiGate.

Scope

FortiSwitch, FortiGate.
Solution

See the topology below for reference:

ISP -> port3-FSW -> port6-FGT -> VIP in FGT -> Internal server

In this case, the user has the interface 'L2-WAN1-HA' (VLAN 888) configured under port6, and it acts as the WAN interface.

config system interface
    edit "L2-WAN1-HA"
        set vdom "root"
        set allowaccess ping
        set role wan
        set snmp-index 155
        set interface "flink-dmz"
        set vlanid 888
    next
end

The VIP is configured with its external interface (extintf) set to 'any':

config firewall vip
    edit "Server_HTTPS"
        set uuid 873d4482-21cc-51ee-3c68-f8ebcfa6bf71
        set extip 1.1.1.1
        set mappedip "10.250.1.7"
        set extintf "any"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

However, the VIP periodically stops working because the traffic enters the FortiGate on L2-WAN1-HA rather than on port6. The debug flow output then shows 'reverse path check fail, drop', since the FortiGate's default route to the Internet goes through port6.

9.349172 L2-WAN1-HA in 73.10.10.10.10.63804 -> 1.1.1.1.443: syn 3230948464
9.634397 L2-WAN1-HA in 73.10.10.10.10.63805 -> 1.1.1.1.443: syn 746614405

id=20085 trace_id=3833 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6,10.10.10.10.63804 ->1.1.1.1:443) tun_id=0.0.0.0 from L2-WAN1-HA.
flag [S], seq 3167746571, ack 0, win 64240"
id=20085 trace_id=3833 func=init_ip_session_common line=6023 msg="allocate a new session-0a30c107, tun_id=0.0.0.0"
id=20085 trace_id=3833 func=get_new_addr line=1221 msg="find DNAT: IP-10.250.1.7, port-443"
id=20085 trace_id=3833 func=fw_pre_route_handler line=178 msg="VIP-10.250.1.7:443, outdev-unknown"
id=20085 trace_id=3833 func=__ip_session_run_tuple line=3483 msg="DNAT 1.1.1.1:443->10.250.1.7:443"
id=20085 trace_id=3833 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
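To pick this condition out of a longer 'diagnose debug flow' capture, the following added example (written for this article; it is not Fortinet code and not part of the original article) parses the trace lines above, groups them by trace_id, and reports VIP (DNAT) sessions that were dropped by the reverse path check together with the interface they arrived on, compared against the VIP's configured extintf. The only input is the article's own trace output, embedded verbatim as sample data.

```python
import re

# Sample input: the debug flow lines from this article (trace_id 3833), copied verbatim,
# including the line wrap inside the first msg.
SAMPLE_TRACE = """\
id=20085 trace_id=3833 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6,10.10.10.10.63804 ->1.1.1.1:443) tun_id=0.0.0.0 from L2-WAN1-HA.
flag [S], seq 3167746571, ack 0, win 64240"
id=20085 trace_id=3833 func=init_ip_session_common line=6023 msg="allocate a new session-0a30c107, tun_id=0.0.0.0"
id=20085 trace_id=3833 func=get_new_addr line=1221 msg="find DNAT: IP-10.250.1.7, port-443"
id=20085 trace_id=3833 func=fw_pre_route_handler line=178 msg="VIP-10.250.1.7:443, outdev-unknown"
id=20085 trace_id=3833 func=__ip_session_run_tuple line=3483 msg="DNAT 1.1.1.1:443->10.250.1.7:443"
id=20085 trace_id=3833 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
"""

# One debug flow line: trace id, function, and the msg text (which may be wrapped/unterminated).
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>[^"]*)')
# "received a packet(proto=6,SRC.SPORT ->DST:DPORT) ... from INGRESS."
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+),(?P<src>[\d.]+)\.(?P<sport>\d+) ->'
                    r'(?P<dst>[\d.]+):(?P<dport>\d+)\).*? from (?P<ingress>\S+)\.')
DNAT_RE = re.compile(r'DNAT (?P<ext>[\d.]+:\d+)->(?P<mapped>[\d.]+:\d+)')


def parse_traces(debug_text):
    """Group debug flow lines by trace_id and extract ingress interface, DNAT and drop facts."""
    traces = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # continuation of a wrapped msg, or a non-flow line
        t = traces.setdefault(m["tid"], {"trace_id": m["tid"]})
        msg = m["msg"]
        if pm := PKT_RE.search(msg):
            t.update(src=pm["src"], dst=pm["dst"], dport=pm["dport"], ingress=pm["ingress"])
        if dm := DNAT_RE.search(msg):
            t.update(ext=dm["ext"], mapped=dm["mapped"])
        if "reverse path check fail" in msg:
            t["rpf_drop"] = True
    return traces


def find_vip_rpf_drops(debug_text, vip_extintf):
    """Return sessions that hit a VIP (DNAT) and were then dropped by the reverse path check.
    extintf_mismatch is set when the ingress interface differs from the VIP's extintf ('any' matches all)."""
    findings = []
    for t in parse_traces(debug_text).values():
        if t.get("rpf_drop") and "mapped" in t:
            t["extintf_mismatch"] = vip_extintf != "any" and t.get("ingress") != vip_extintf
            findings.append(t)
    return findings


if __name__ == "__main__":
    for f in find_vip_rpf_drops(SAMPLE_TRACE, "port6"):
        print(f"trace {f['trace_id']}: {f['src']} -> {f['ext']} (VIP {f['mapped']}) dropped by RPF; "
              f"ingress {f['ingress']}, extintf mismatch: {f['extintf_mismatch']}")
```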

To avoid this issue, modify the virtual IP as follows:

config firewall vip
    edit "Server_HTTPS"
        set uuid 873d4482-21cc-51ee-3c68-f8ebcfa6bf71
        set extip 1.1.1.1
        set mappedip "10.250.1.7"
        set extintf "port6"                <- Bind the VIP to port6 instead of "any".
        set portforward enable
        set extport 443
        set mappedport 443
        set gratuitous-arp-interval 30     <- Send gratuitous ARP every 30 seconds, for example (0 = disabled).
    next
end
